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(54) Apparatus and method for providing network security 



(57) A network security apparatus for a computer 
network is described. At least one user coupled to the 
apparatus, the at least one user selected from a group 
consisting of a host computer and a second untrusted 
network. The apparatus comprises a secure network in- 
terface unit (SNIU) having a first coupling to said at least 
one user and a second coupling to the computer net- 
work, which operates using a layered communications 
protocol, said SNIU providing security control by con- 
trolling access to the computer network at least one lay- 



er above the transport layer of the communications pro- 
tocol. The SNIU is implemented to create a global se- 
curity perimeter for end-to-end communications and at 
least a portion of a security management architecture, 
including a SNIU security manager (SSM) for causing 
said SNIU to be initialized, operated and configured for 
protecting the security of communications transmitted 
through said SNIU, said SSM capable of participating in 
the implementation of at least one of a plurality of secu- 
rity policies. 
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Description 

Technical Field of the Invention 

[0001] The present invention relates in general to se- 
cure and multi-level secure (MLS) networks and in par- 
ticular to apparatus and method for providing security 
and multi-level security for a non-secure network. 

Background Art 

[0002] Multi-level secure (MLS) networks provide a 
means of transmitting data of different classification lev- 
els (i.e. Unclassified, Confidential, Secret and Top Se- 
cret) over the same physical network. To be secure, the 
network must provide the following security functions: 
data integrity protection, separation of data types, ac- 
cess control, authentication and user identification and 
accountability. 

[0003] Data integrity protection ensures that data sent 
to a terminal is not modified en route. Header information 
and security level are also protected against uninvited 
modification. Data integrity protection can be performed 
by checksum routines or through transformation of data, 
which includes private key encryption and public key en- 
cryption. 

[0004] Separation of data types controls the ability of 
a user to send or receive certain types of data. Data 
types can include voice, video, EMail, etc. For instance, 
a host might not be able to handle video data, and, there- 
fore, the separation function would prevent the host from 
receiving video data. The system should include se- 
quential review prior to data release where a plurality of 
users would review the data to approve release prior to 
actual release and the use of data type to separate man- 
agement type data from ordinary user traffic. 
[0005] Access control restricts communication to and 
from a host. In rule based access control, access is de- 
termined by the system assigned security attributes. For 
instance, only a user having Secret or Top Secret secu- 
rity clearance might be allowed access to classified in- 
formation. In identity based access control, access is 
determined by user-defined attributes. For instance, ac- 
cess may be denied rf the user is not identified as an 
authorized participant on a particular project. For control 
of network assets, a user may be denied access to cer- 
tain elements of the network. For instance, a user might 
be denied access to a modem, or to a data link, or to 
communication on a path from one address to another 
address. 

[0006] Identification of a user can be accomplished by 
a unique name, password, retina scan, smart card or 
even a key for the host. Accountability ensures that the 
a specific user is accountable for particular actions. 
Once a user establishes a network connection, it may 
be desirable that the user's activities be audited such 
that a "traif is created. If the user's actions do not con- 
form to a set of norms, the connection may be terminat- 



ed. 

[0007] Currently, there are three general approaches 
to providing security for a network: trusted networks, 
trusted hosts with trusted protocols, and encryption de- 
5 vices. The trusted network provides security by placing 
security measures within the configuration of the net- 
work. In general, the trusted network requires that ex- 
isting protocols and, in some cases, physical elements 
be replaced with secure systems. In the Boeing MLS 
10 Lan, for instance, the backbone cabling is replaced by 
optical fiber and all access to the backbone is mediated 
by security devices. In the Verdix VSLAN, similar secu- 
rity devices are used to interface to the network, and the 
network uses encryption instead of fiber optics to protect 
15 the security of information transmitted between devices. 
VSLAN is limited to users on a local area network (LAN) 
as is the Boeing MLS Lan. 

[0008] Trusted hosts are host computers that provide 
security for a network by reviewing and controlling the 
20 transmission of all data on the network. For example, 
the U.S. National Security Agency (NSA) has initiated a 
program called Secure Data Network System (SDNS) 
which seeks to implement a secure protocol for trusted 
hosts. In order to implement this approach, the installed 
25 base of existing host computers must be upgraded to 
run the secure protocol. Such systems operate at the 
Network or Transport Layers (Layers 3 or 4) of the Open 
Systems Interconnection (OSI) model. 
[0009] Encryption devices are used in a network en- 
30 vironment to protect the confidentiality of information. 
They may also be used for separation of data types or 
classification levels. Packet encryptors or end-to-end 
encryption (EEE) devices, for instance, utilize different 
keys and labels in protocol headers to assure the pro- 
35 tection of data. However, these protocols lack user ac- 
countability since they do not identify which user of the 
host is using the network, nor are they capable of pre- 
venting certain users from accessing the network. EEE 
devices typically operate at the Network Layer (Layer 3) 
*o of the OSI model. There is a government effort to devel- 
op cryptographic protocols which operate at other pro- 
tocol layers. 

[0010] It would be highly desirable to provide multi- 
level security in a non-secure environment, i.e.. where 
45 both the network and the hosts are not trusted, so that 
existing hosts and network assets would not have to be 
replaced by trusted hosts or secure network assets. It 
is also required that such an MLS system must provide 
user accountability and data integrity during all phases 
50 of operation within the network. 

Disclosure of the Invention 

[0011] In accordance with the present invention, a 
55 network security apparatus and method for a network 
comprises a secure network interface unit (SNIU) cou- 
pled between each host or user computer unit, which 
may be non-secure, and a network, which may be non- 
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secure, and a security management (SM) architecture, 
including a security manager (SM) connected to each 
of the SNIUS for controlling their operation and config- 
uration on the network. Each SNIU is operative at a ses- 
sion layer of interconnection which occurs when a user 
on the network is identified and a communication ses- 
sion is to commence. When an SNIU is implemented at 
each computer unit to be secured on the network, a glo- 
bal security perimeter is provided for ensuring security 
policy enforcement, controlled communication release, 
controlled communication flow, and secure session pro- 
tocols through each computer unit interface. The SM ar- 
chitecture is implemented to ensure user accountability, 
configuration management, security administration, and 
cryptographic key management among the SNIUS. 
[0012] In a preferred embodiment, the SNIU is con- 
figured to perform a defined trusted session layer pro- 
tocol (TSP), including the core functions of user inter- 
face or service interface, session manager, dialog man- 
ager, association manager, data sealer, and network in- 
terface. The user/service interface functions allow a us- 
er to access the network through the SNIU, including 
translating data to the format used in the SNIU, passing 
data between the computer unit and the SNIU, and pro- 
viding access to communication ports through the SNIU. 
Significant portions of the user/service interface do not 
require the same level of trust as the rest of TSP. This 
allows these portions to be logically and physically sep- 
arated from the rest of TSP without effecting the under- 
lying security of the system as a whole. The session 
manager functions include user identification and audit, 
session setup and termination, and issuing commands 
between the user interface and the dialog manager. The 
dialog manager functions control the data path estab- 
lished in the SNIU, including dialog identification and au- 
dit, dialog request validation, setup, and termination, ap- 
plying and reviewing block headers for transmitted data, 
and issuing commands between the session manager 
and the association manager. The association manager 
functions control the transmission of data on the data 
path with a remote SNIU, including SNIU identification 
and audit, association request validation, setup, and ter- 
mination, invoking and managing sealer keys for en- 
crypting transmitted data, and issuing commands be- 
tween the dialog manager and the network interface. 
The network interface functions allow the transmission 
of data and commands between the SNIU and the net- 
work. 

[001 3] The Security Manager (SM) performs network 
security functions, including security administration of 
the core manager functions of the SNIUs. In the pre- 
ferred embodiment, the SM functions are distributed 
over three platforms, i.e., a SNIU hosted SNIU security 
agent (SSA), an area security manager (ASM), and a 
network security manager (NSM). The SSA exchanges 
data and commands with its assigned SNIU, and per- 
forms initialization, configuration control, access con- 
trol, public key management, audit/alarms, and other 



services for the SNIU. The ASM manages the security 
functions for a group of SNIUs in a defined area. The 
NSM manages the security functions of the ASMs for 
the network as a whole. 

5 

Brief Description of the Drawings 

[0014] FIG. 1 is a schematic diagram of an MLS net- 
work system in accordance with the invention. 
10 [0015] FIG.2 is a schematic diagram of a variation of 
the inventive concept as applied to an internetwork sys- 
' tern. 

[001 6] FIGS. 3A, 3B, and 3C are schematic diagrams 
of a secure network interface unit (SNIU) in accordance 

is with the invention. 

[0017] FIGS. 4A - 4F are schematic diagrams of the 
data and command structure of the SNIU unit. 
[001 8] FIGS. 5A - 5D are schematic diagrams of a se- 
curity management architecture in the present inven- 

20 tion. 

[001 9] FIGS. 6A and 6B illustrate the steps for a path 
setup in accordance with the MLS system of the present 
invention. 

25 Best Mode for Carrying Out the Invention 

[0020] In the present invention, a secure network in- 
terface unit (SNIU) is used to control communications 
between a respective host or user computer unit and the 

30 network at a "session layer" of interconnection which oc- 
curs when a user on the network is identified and a com- 
munication session is to commence. For example, the 
industry-standard Open Systems Interconnection (OS I) 
model, defines seven layers of a network connection: 

35 (1 ) physical; (2) data link; (3) network; (4) transport; (5) 
session; (6) presentation; and (7) application. In the 
present invention, the network security measures are 
implemented at the Session Layer 5. The placement of 
security at the Session Layer allows existing network as- 

40 sets and existing network protocols at the Transport 
Layer 4 and lower to continue to be used, thereby avoid- 
ing the need to replace an installed network base for the 
implementation of the multi-level security system. The 
connected host or user equipment and the network 

45 backbone are therefore not required to be secure (trust- 
ed). Conventionally, OSI network applications employ 
CCITT X.215 which is a non-secure session layer pro- 
tocol. None of the prior multi-level security systems em- 
ploy the security measures described herein in the Ses- 

50 sion Layer. 

[0021] Referring now to FIG. 1 , there is shown a net- 
work provided with a security system. A plurality of host 
or user computer units, such as a terminal server TS, 
host unit S, host-server unit S-U, user unit U, or personal 

55 computer (PC), are coupled to a network through re- 
spective secure network interface units (SNIUs). Multi- 
user terminal, host or host server units are indicated by 
shaded squares, whereas single-user terminal, host 
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personal computer, or user units are indicated by white 
squares. The SNIUs encapsulate the network with a ring 
of^secure units which enforce both discretionary and 
mandatory security policies. The SNIUs provide security 
policy enforcement, a user communication release in- 
terface, controlled communication flow when intercon- 
nected to non-secure other networks, and session se- 
curity protocols. The discretionary security policies are 
indicated as extending to the multi-user computer units 
which generally have some form of discretionary user 
access control. 

[0022] The SNIU is capable of passing digital data, 
voice and video traffic so as to provide the full function- 
ality required for a Trusted Session Protocol (TSP). The 
TSP uses the facilities of the lower level protocols to 
transmit data across the network. To this end, and to 
provide flexibility, the specialized network interface 
SNIU is designed to allow coupling of the TSP with ex- 
isting (non-secure) equipment and underlying network. 
[0023] A security administration architecture, which 
includes a security manager SM coupled to the network, 
provides user accountability, configuration manage- 
ment, security administration and alarm handling, and 
sealer (cryptographic) key management. A host unit is 
not required to be trusted as the SNIU prevents any traf- 
fic not destined for the host from getting to the host. The 
network is not required to be trusted as the SNIU pre- 
vents unauthorized data on the network from getting to 
or from the host. 

[0024] Referring to FIG. 2, a variation is shown em- 
ploying SNIUs for internetwork connections. A bridge 
SNIU is used between two private networks (shaded 
ovals) using the same security labeling semantics but 
which operate at two different protection levels. The net- 
works may be controlled by a single network security 
manager SM, or each network can have its own security 
manager SM. A gateway SNIU is used between two net- 
works using different security labeling semantics, for ex- 
ample, a Type A network may use labels (Top Secret, 
Secret, Confidential, Unclassified) and a Type B net- 
work may use the labels (Most Secret, Secret, Restrict- 
ed, Confidential, Releasable). A guard SNIU is used to 
support communications between a private network and 
a public network. 

[0025] The network security system of the invention 
is divided into two major functional areas: the Trusted 
Session Protocol (TSP) hosted by the SNIU, which is 
responsible for the management of the data path and 
the passing of data; and the Security Management ar- 
chitecture, consisting principally of the Security Manag- 
er (SM), which is responsible for security management 
of the network. 

[0026] The configuration of the TSP varies with the 
SNIU environment. As shown in FIG. 3A, the SNIU for 
a multi-user host includes a Session Manager module, 
a Dialog Manager module, an Association Manager & 
Sealer module, and a Network Interface. A User Inter- 
face is provided with the multi-user host. In FIG. 3B, the 



SNIU of a single-user host incorporates the User Inter- 
face with the other functions. As illustrated conceptually 
in FIG. 3C, the communication interface with the user is 
mediated by Session Manager, the interface with the 
5 network by the Association Manager, and the commu- 
nication flow between the two ends by the Dialog Man- 
ager. 

[0027] For multi-user computers, incorporation of the 
User Interface with the host computer opens the mem- 
10 ory resources of the host to provide message boxes for 
all authorized users. The message boxes are protected 
by the discretionary access control policies of the host. 
In the special case of a personal computer (PC), a multi- 
level release option may be provided which allows the 
sending of messages at a security level below the level 
at which the PC is operating. An interface to the SNIU 
is required to allow the operator to review the message 
before release. 



[0028] The security system of the present invention 
may implement a number of security policies suitable to 
the circumstances of a given network environment. The 
major policy areas are: discretionary access control; 
mandatory access control; object reuse; labeling; iden- 
tification and authentication; audit; denial of service de- 
tection; data type integrity; cascading control; and cov- 
ert channel use detection. 

[0029] Discretionary access control is a means of re- 
stricting access to objects (data files) based on the iden- 
tity (and need to know) of the user, process, and/or 
group to which the user belongs. It may be used to con- 
trol access to user interface ports based on the identity 
of the user. For a single-user computer unit, this mech- 
anism may be implemented in the SNIU, whereas for a 
multi-user host, the DAC control may be implemented 
at the host machine. Discretionary access control may 
also be implemented as discretionary dialog address- 
ing, wherein the addressing of ail communications orig- 
inated by a user is defined, and for user discretionary 
access denial, wherein a user may refuse to accept a 
communication from another user. 
[0030] Mandatory access control is a means of re- 
stricting access to objects based on the sensitivity (as 
represented by a classification label) of the information 
contained in the objects, and the formal authorization (i. 
e., clearance) of the user to access information of such 
sensitivity. For example, it may be implemented as dia- 
log lattice-based access control, wherein access re- 
quires a correct classification level, integrity level, and 
compartment authorization, dialog data-type access 
control, wherein correct data type authorization is re- 
quired for access, and cascade protection, wherein con- 
trols are provided to prevent unauthorized access by 
cascading user access levels in the network. 
[0031] Object reuse is the reassignment and reuse of 
a storage medium (e.g., page frame, disk sector, mag- 
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netic tape) that once contained one or more objects to 
be secured from unauthorized access. To be secured, 
reused, and assigned to a new subject, storage media 
must contain no residual data from the object previously 
contained in the media. Object reuse protection may be 
implemented by port reuse protection, session reuse 
protection, dialog reuse protection, and/or association 
reuse protection. 

[0032] Labeling requires that each object within the 
network be labeled as to its current level of operation, 
classification, or accreditation range. Labeling may be 
provided in the following ways: user session security la- 
beling, wherein each user session is labeled as to the 
classification of the information being passed over it; di- 
alog labeling, wherein each dialog is labeled as to the 
classification and type of the information being passed 
over it; and host accreditation range, wherein each host 
with access to the secured network is given an accred- 
itation range, and information passing to or from the host 
must be labeled within the accreditation range. 
[0033] Identification is a process that enables recog- 
nition of an entity by the system, generally by the use of 
unique user names. Authentication is a process of ver- 
ifying the identity of a user, device, or other entity in the 
network. These processes may be implemented in the 
following ways: user identification; user authentication; 
dialog source authentication, wherein the source of all 
communication paths is authenticated at the receiving 
SNIU before communication is allowed; SNIU source 
authentication, wherein the source SNIU is authenticat- 
ed before data is accepted for delivery; and administra- 
tor authentication, wherein an administrator is authenti- 
cated before being allowed access to the Security Man- 
ager functions. 

[0034] An audit trail provides a chronological record 
of system activities that is sufficient to enable the review 
of an operation, a procedure, or an event. An audit trail 
may be implemented via a user session audit, a dialog 
audit, an association audit, an administrator audit, and/ 
or a variance detection, wherein audit trails are analyzed 
for variance from normal procedures. 
[0035] Denial of service is defined as any action or 
series of actions that prevent any part of a system from 
functioning in accordance with its intended purpose. 
This includes any action that causes unauthorized de- 
struction, modification, or delay of service. The detec- 
tion of a denial of service may be implemented for the 
following condition: user session automatic termination, 
such as when unauthorized access has been attempt- 
ed; user machine denial of service detection, such as 
detection of a lack of activity on a user machine; dialog 
denial of service detection; association denial of service 
detection, such as detection of a lack of activity between 
SNIUs; and/or data corruption detection, such as when 
an incorrect acceptance level is exceeded. 
[0036] Covert channel use is a communications chan- 
nel that allows two cooperating processes to transfer in- 
formation in a manner that violates the system's security 



policies. Detection of covert channel use may be imple- 
mented, for example, by delay of sen/ice detection, such 
as monitoring for unusual delays in message reception, 
or dialog sequence error detection, such as monitoring 

5 for message block sequence errors. 

[0037] The functions of the Session Layer Protocol 
(SLP) performed by the secure network interface unit 
(SNIU) and the security management (SM) architecture 
will now be described. These functions are designed to 

10 implement many of the security policies described 
above. It is to be understood that these functions are 
only illustrative examples of a wide range of security 
functions that can be implemented using the SNIU/SLP 
and SM architecture. 

15 

Session Layer Protocol (SLP) and SNIU 

[0038] The main functions of the SLP are to set up 
paths for data, terminate paths for data, pass data over 
established paths, and enforce security policies as di- 
rected by the SM. Secondary functions of the SLP in- 
clude interacting with the user machine, identifying the 
user and providing a data path between the user ma- 
chine and the SNIU, identifying the user process and 
providing a secure data path between local and remote 
SNIUs, protecting data transiting the data path, and in- 
teracting with the network. 

[0039] To accomplish these functions, the SLP is di- 
vided into six sublayers: the User Interface; the Session 
Sublayer (Manager); the Dialog Sublayer (Manager); 
the Association (Manager) and Data Sealer Sublayer; 
and the Network Interface. FIGS. 4A - 4F illustrate the 
operation at each of these sublayers in greater detail. 
For purposes of the following description, a session is 
defined as a period of authorized network usage in 
which a user who conducts a dialog has been identified 
and verified. A dialog defines a data path between a pair 
of processes. An association defines a data path be- 
tween a pair of SNIUs, including any data sealer keys 
used in securing the data. 

[0040] In FIG. 4A, the User Interface provides the 
means for the user to access the network. For multi-user 
hosts, the User Interface may reside within the host ma- 
chine, whereas for single-user machines, the User In- 
terface may reside within the SNIU coupling the user 
machine to the network. Communication with the net- 
work is provided via a number of command ports, sim- 
plex receiving and sending ports, duplex ports, and a 
multicast send port. Multiple ports can be set up for each 
user. The User Interface communicates only through the 
Session Manager. It can perform the following functions: 
translating data from the format used in the user ma- 
chine to the format used in the SNIU; passing data be- 
tween the user machine and the SNIU; providing ports 
for communication between the user and the network 
through the SNIU; providing user information to the Ses- 
sion Manager; equalizing data loads when connected to 
a number of SNIUs; port management on command 
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from the Session Manager; and discretionary access 
controj . 

[0041] In FIG. 4B, the Session Manager manages the 
sessions with users. The Session Manager communi- 
cates with the User Interface, the Dialog Manager, and 
the SNIU Security Manager (SSM). The Session Man- 
ager has the following functions: user identification; au- 
dit; alarms; session setup and termination; session time 
out, wherein inactive sessions are terminated after a giv- 
en amount of time; accepting session access requests 
to an existing session from a remote SNIU; commands 
to the Dialog Manager; maintenance of user access set- 
tings (passwords, access lists); passing data over an ex- 
isting dialog between the User Interface and the Dialog 
Manager; and management of the User Interface, in- 
cluding commands for reinitialization, termination, and 
creation and deletion of ports. 
[0042] In FIG. 4C, the Dialog Manager supports du- 
plex, simplex receive, simplex send, and multicast dia- 
logs. The Dialog Manager communicates with the Ses- 
sion Manager, the Association Manager, and the SSM. 
During the establishment of a communications path, 
both discretionary and mandatory access control mech- 
anisms are used to assure that there is no security com- 
promise. The Dialog Manager includes the following 
functions: dialog setup and termination; accepting a re- 
quest to initiate or terminate a dialog from a remote 
SNIU; validating a dialog request using user access lists 
and process classifications; audits; alarms; assigning 
local dialog numbers and obtaining network dialog num- 
bers from a remote SNIU; identification of processes in- 
volved in a dialog; passing data over an existing asso- 
ciation between the Session Manager and the Associa- 
tion Manager; applying and validating block headers for 
transmitted data; issuing commands to the Association 
Manager; requesting the SSM to validate user data; 
mapping dialog numbers to assigned port numbers; and 
acknowledging the receipt of block data transmissions. 
[0043] In FIG. 4D, the Association Manager supports 
duplex, simplex send, and simplex receive associations 
with remote SNIUs. The Association Manager commu- 
nicates with the Dialog Manager, the Sealer, and the 
SSM. It has the following functions: association setup 
and termination; accepting a request to initiate or termi- 
nate an association from a remote SNIU; validating an 
association request according to the security policies of 
the network; audits; alarms; identifying remote SNIUs; 
passing data with other SNIUs over network facilities; 
invoking the Sealer and managing sealer keys for en- 
crypting transmitted data; and issuing commands to the 
Network Interface. 

[0044] In FIG. 4E, the Sealer communicates with the 
Association Manager and the SSM, and has the follow- 
ing functions: storing all keys used in sealing data; per- 
forming the sealing and unsealing algorithms (e.g., key 
exponentiation) on a data block upon command from the 
Association Manager; and generating new keys for the 
SNIU upon command from the SSM. The Association 



Manager, in conjunction with the Sealer, provides integ- 
rity protection and assures that the data is delivered to 
the correct destination. The Sealer uses keys to trans- 
form the entire data block. Alternatively, one could per- 

5 form a sum check on the data and seal the sum check 
as is known in the art. When the data block is passed 
through the Sealer or a M DC upon reaching its destina- 
tion, the block is unsealed. Any remaining errors are 
considered security events. 

10 [0045] In FIG. 4F, the Network Interface to the network 
communicates only with the Association Manager, and 
has the following functions: passing data and informa- 
tion between the Association Manager and the network; 
and passing commands from the Association Manager 

15 to the network. 

Security Management Architecture and SM 

[0046] The security management architecture in- 
20 eludes the Security Manager (SM) which performs the 
network security functions. As illustrated in FIG. 5 A, the 
SM functions are distributed over three platforms: a 
SNIU security manager (SSM); an area security man- 
ager (ASM); and a network security manager (NSM). 
25 The distributed platforms provide fault tolerance to the 
security system. The SM platforms communicate with 
each other using the SLP described above. The SM's 
primary functions include system initialization, network 
recovery, network expansion/contraction, audit/alarms, 
30 key management, configuration control, access control, 
system administration, directory services, time coordi- 
nation, and internetwork support. 
[0047] For system initialization, initial keys, element 
identifications, and software loadings must be generat- 
es ed and distributed to the subordinate elements of the 
network system. SNIUs must be initialized. All initial net- 
work topology information must be entered into the sys- 
tem. The network is initialized by subordinate elements 
establishing dialogs with their primary controlling 
40 agents. Under this approach, each of the SNIUs will be 
powered up, keyed, then will seek to establish a dialog 
with its assigned ASM. If unsuccessful, the SNIU may 
periodically attempt to establish a dialog with the prima- 
ry or an alternate ASM until it has succeeded. After suc- 
45 cessful setup, the operational configurational informa- 
tion is downloaded to the respective SNIUs. The ASMs 
are initialized in an analogous manner by the NSM. In- 
itialization of the system elements from the bottom up 
eliminates unnecessary network overhead. 
50 [0048] In the event of single ASM failures, the network 
can continue to operate virtually unaffected. Automatic 
procedures are effected for switchover to an alternate 
ASM or re-entry of a failed ASM. The affected SNIU 
seeks an alternate ASM, establishes a new association, 
55 and uploads the current configuration data. For re-ini- 
tialization of an ASM, the ASM attempts to come on line, 
negotiates SNIU pairings with all other ASMs, establish- 
es associations with the assigned SNIUs, and com- 
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mands the SNIUs to switch to a new primary agent. Sim- 
ilar procedures are used for new assignments in net- 
work expansion or contraction. 
[0049] The SM also collects and stores the audit in- 
formation generated by the SNIUs in response to the 
SM's criteria. As illustrated in FIG. 5B, audit data are 
captured locally at the SNIUs, collected at the interme- 
diate ASMs, and analyzed centrally at the NSM. The SM 
also detects when an alarm has occurred and deter- 
mines the most appropriate action to take to resolve the 
problem. When no automated solution is possible, the 
SM presents the problem to the security administrator 
for resolution. 

[0050] For key management, the SM is responsible 
for the generation, distribution, accounting, and destruc- 
tion of key certificates that ensures the system integrity. 
As illustrated in FIG. 5C, the NSM generates initial RSA 
key pairs and certificates. The SNIU sends a public key 
in response to a NSM key request. The NSM returns a 
new certificate if the public key is validated. In addition, 
the NSM dictates when keys are to be generated by the 
SNIUs. The SNIUs contain all the hardware and algo- 
rithms necessary to generate the key pairs. With the ex- 
ception of the initial key pairs, the secret keys will not 
be known outside of the local SNIU. 
[0051] For configuration control, all system elements 
are responsible for maintaining the operational configu- 
ration information necessary for establishing and con- 
tinuing secure communications. A hierarchy of privileg- 
es is maintained, including: host privileges, such as host 
accreditation range, SNIU addresses, classification of 
host, host name, and data type authorizations; user/ap- 
plications privileges, such as user/application authori- 
zation range, host association, data type authorization, 
user application name, and user audit switch; and SNIU 
privileges, such as SNIU ID/type, network address, au- 
dit event selection list, user list, and accreditation range. 
[0052] The SM can support full system administration 
capabilities to the network, including health and status 
polling, privilege management, and backup manage- 
ment. As in the case of audits described above, the sta- 
tus data is captured locally at the SNIUs, collected at 
the intermediate level of the ASMs through polling, then 
analyzed for re-assignments at the NSM. 
[0053] The SM also provides directory services to the 
SLP in support of association setup, as illustrated in FIG. 
5D. A directory resides on a primary ASM for a given 
SNIU. When the SNIU requires access to another SNIU, 
the ASM is queried for the information. If it does not exist 
at that ASM, the ASM broadcasts an information request 
to all other ASMs. The NSM maintains a full directory 
that is subordinate to and updated from the ASMs. Each 
ASM maintains a master directory for its subordinate 
SNIUs, and a cache directory for a smaller set of con- 
nections requested by its subordinate SNIUs. Each 
SNIU maintains a cache of directory entries associated 
with the most recent connections. 
[0054] For internetwork support, the SM can provide 



services such as an internetwork directory, internetwork 
digital signature support, and negotiation of security pol- 
icies/semantic. In a bridge SNIU, after a user is located 
on an alien network of similar security semantics, all us- 

5 ers are provided the address of the bridge SNIU for com- 
munications. A gateway SNIU is similar to a bridge SNIU 
with the exception of the requirement to determine the 
semantic equivalents. In addition, the gateway SNIU is 
initialized and controlled by two NSMs. When commu- 

10 nicating to an alien (non-secure) network, the guard 
SNIU treats the alien network as a large host. However, 
no user responsibility is expected on the alien network. 
The guard SNIU provides the security and connectivity 
only to the network, not any remote host. 

15 

Examples of System Implementation 

[0055] In order to illustrate the establishment of a con- 
nection using the protected Session Layer protocol 

20 (SLP) of an SNIU between a user or host computer and 
a network, either of which may be non-secured, the fol- 
lowing example of a path setup for a communication on 
the network is described in step-by-step fashion. In an 
actual implementation, the user host is a VT320 terminal 

25 of Digital Equipment Corporation. The communication 
link is a RS-232 serial line, at a line speed of 9600 bits/ 
sec. The User Interface resides within the SNIU. The 
network is a TCP/IP Ethernet LAN. The Network Inter- 
face resides in the SNIU and is connected to the network 

30 by a Racal/lnterlan TCP/IP Ethernet card (Model 
NP627). 

[0056] In FIG. 6A, the steps for a path setup by a send- 
er are illustrated. At A1 , the user requests a session be- 
fore being granted access to the network. The User In- 

35 terface translates the data at A2, and provides the user 
information to the Session Manager at A3. The Session 
Manager requests user information from the Security 
Manager at A4, and the Security Manager returns the 
information at A5. The Session Manager validates the 

40 user at A6, then sets up a session at A7. If unable to 
validate the user, an audit message is generated and 
the user is denied access. The Session Manager sends 
an audit message of the session setup to the Security 
Manager at A8. 

45 [0057] The user then sends a dialog request at A9. 
The Dialog Manager identifies the sending process at 
A10, and requests destination information from the Se- 
curity Manager at A1 1 , which the Security Manager pro- 
vides at A1 2. The Dialog Manager then issues an asso- * 

50 ciation setup command to the Association Manager at 
A13. The Association Manager sends out a certificate 
at A14 and an association setup message at A1 5 to the 
destination on the network. The Association Manager 
then receives a return certificate from the remote SNIU 

55 of the destination address at A16 and an association 
setup acknowledgement at A17. The Association Man- 
ager commands the Sealer to unseal the certificate at 
A18 and validates the unsealed certificate at A19. The 
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Association Manager commands the Sealer to unseal 
the association setup acknowledgement at A20 and 
sets up the association at A21. The Association Manag- 
er then sends an audit message to the Security Manager 
atA22. 

[0058] The Dialog Manager selects a dialog number 
and type and sends a request to the remote SNIU at 
A23, and receives the number and type acknowledge- 
ment at A24. The Dialog Manager accepts the dialog at 
A25, then sends an audit message to the Security Man- 
ager at A26. The Session Manager commands creation 
of a port for the dialog at A27, then sends an audit mes- 
sage to the Security Manager at A28. The User Interface 
creates a port for the dialog at A29, whereupon the 
transmission of the requested communication can take 
place. 

[0059] In FIG. 6B, the steps for the path setup of the 
receiving SNIU are shown. The Association Manager 
receives the certificate of the sending SNIU at B1 , com- 
mands the Sealer to unseal it at B2, and validates it at 
B3. It also receives the association setup message at 
B4, commands the Sealer to unseal it at B5, validates 
the association at B6, sets up the association at B7, 
sends a return certificate to the sending SNIU at B8 and 
an acknowledgement message at B9, then sends an au- 
dit message to the Security Manager at B 1 0. The Dialog 
Manager receives the dialog set up request from the As- 
sociation Manager at B11, requests user information 
from the Security Manager at B12, which is provided at 
B13, identifies the local process at B14, validates the 
dialog request at B15, accepts the dialog at B16, sends 
the dialog number and type acknowledgement to the As- 
sociation Manager at B17 and an audit message at B18. 
The Session Manager commands a port for the dialog 
at B19 and sends an audit message at B20, whereupon 
the User Interface responds at B21 and begins to trans- 
late data for the user at B22. 

[0060] The SNIU may be implemented in the form of 
a software program executed on a general purpose 
computer coupled as a server between a host machine 
and the network. Alternatively, it may be programmed 
as a network communications program resident in and 
executed from the host machine. However, for security 
purposes, the preferred form of the SNIU is a closed 
module having the security program functions resident 
in ROM and executed by a dedicated microprocessor. 
The closed module can incorporate the communications 
link or modem to the network. 

[0061] The SSM may be a software program co-resi- 
dent with the SNIU program at a host site, or may be 
executed on a separate computer unit connected to the 
SNIU through the network. The ASM may be a software 
program co-resident with an SSM at a large host site, 
or may be executed on a separate computer unit for an 
area connected to the assigned SSMs through the net- 
work. The NSM is preferably operated from a separate, 
secure computer unit connected to the network and op- 
erated by the overall security administrator. The partic- 



ular physical locations and forms of implementation for 
the SNIUs and distributed platforms of the SM may vary 
depending upon the network configuration, desired se- 
curity policies, and user audience. 

5 [0062] It rs to be will be understood that the embodi- 
ments described herein are merely exemplary of the 
principles of the invention, and that a person skilled in 
the art may make many variations and modifications 
without departing from the spirit and scope of the inven- 

10 tion. All such variations and modifications are intended 
to be included within the scope of the invention as de- 
fined in the appended claims. 



15 Claims 

1. A network security apparatus for a computer net- 
work having at least one user coupled thereto, the 
at least one user selected from a group consisting 

20 of a host computer and a second untrusted network, 
comprising: 

a secure network interface unit (SNIU) having 
a first coupling to said at least one user and a 

25 second coupling to the computer network, 

which operates using a layered communica- 
tions protocol, said SNIU providing security 
control by controlling access to the computer 
network at least one layer above the transport 

30 layer of the communications protocol 

wherein the SNIU is implemented to create a 
global security perimeter for end-to-end communi- 
cations; and 

35 at least a portion of a security management 

architecture, including a SNIU security manager 
(SSM) for causing said SNIU to be initialized, oper- 
ated and configured for protecting the security of 
communications transmitted through said SNIU, 

<o said SSM capable of participating in the implemen- 
tation of at least one of a plurality of security poli- 
cies. 

2. The network security apparatus according to Claim 
45 1 , wherein the network security apparatus provides 

multilevel security whereby a particular user is 
granted access to at least one network resource in 
accordance with a user profile. 

50 3. The network security apparatus of Claim 2, where- 
by the user profile indicates whether the user has 
access to said resource based on a user security 
classification. 

55 4. The network security apparatus of Claim 3, where- 
by the user security classification is one of Secret 
and Top Secret. 
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5. The network security apparatus according to Claim 
1, wherein said plurality of security policies is se- 
lected from the group consisting of discretionary ac- 
cess control, mandatory access control, object re- 
use, labeling, denial of service detection, data type 
integrity, cascading control and covert channel use 
detection. 

6. The network security apparatus according to Claim 
1 , wherein said plurality of security policies compris- 
es user identification and authentication. 

7. The network security apparatus according to Claim 
1 , wherein said security perimeter is protected by a 
security association comprising at least one of an 
authentication protocol and a data scaling protocol. 

8. The network security apparatus according to Claim 
7, wherein said security association comprises a 
data sealer key in support of said global security pe- 
rimeter for end-to-end communications. 

9. The network security apparatus according to Claim 
7, wherein said global security perimeter path com- 
prises a secure data path that is established be- 
tween a pair of SNIUs. 

10. The network security apparatus according to Claim 
7, further comprising: 

a data sealer; 

an association manager, the association man- 
ager comprising a first coupling to the data 
sealer, and a second coupling to the SSM; 
whereby the association manager at least per- 
forms the functions of invoking the Sealer and 
managing sealer keys for encrypting transmit- 
ted data. 

1 1 . The network security apparatus according to Claim 
10, wherein the association manager additionally 
performs at least one of the functions of: association 
setup and termination; accepting a request to initi- 
ate or terminate an association from a remote SN- 
TU; validating an association request according to 
the security policies of the network; audits; alarms; 
and identifying a remote SNIUs. 

12. The network security apparatus according to Claim 
1, said SNIU further comprising an association 
manager operable to establish and control a user 
session between the at least one user and the net- 
work, whereby the user session is established at a 
layer of interconnection above the transport layer. 

13. The network security apparatus according to Claim 
12, whereby the user session is established at the 
session layer of interconnection. 



14. The network security apparatus according to Claim 
3, said SNIU further comprising a dialog manager 
in communication with said association manager 
and said security manager for setting up, control- 

5 ling, and terminating a data path established in said 
SNIU. 

15. The network security apparatus according to Claim 
1 , said SNIU further comprising a session manager 

io for identifying a user requesting access to the net- 
work. 

16. The network security apparatus according to Claim 
1, said SNIU further comprising an association 

15 manager which operates to establish and control a 
user session at a layer above the transport layer of 
interconnection between the at least one user and 
the network if the at least one user is verified for 
access. 

20 

17. The network security apparatus according to Claim 
1 , wherein said SNIU further comprises a module 
that implements at least a portion of a defined trust- 
ed session layer protocol (TSP). 

25 

18. The network security apparatus according to Claim 
1 , wherein said SNIU is operable to prevent covert 
information flow within said global security perime- 
ter for end-to-end communications. 

30 

19. The network security apparatus according to Claim 
1 , wherein said SNIU includes a data sealer for val- 
idating data transmitted through said SNIU. 

35 20. The network security apparatus according to Claim 
1, wherein functions of said SSM comprise ex- 
changing data and commands with said SNIU, per- 
forming initialization, and managing parameters re- 
lated to access control, authentication, and data 

40 sealer keys. 

21 . The network security apparatus according to Claim 
1 , wherein functions of said SSM comprise sending 
a public key in response to a remote network re- 

45 quest. 

22. The network security apparatus according to Claim 
1, wherein the SSM participates in a key manage- 
ment protocol to establish a set of sealer keys to be 

50 used in a security association. 

23. The network security apparatus according to Claim 
1, wherein said user corresponds to said second 
network, said SNIU is coupled between the network 

55 and the second network, and said SNIU is operative 
to act as a gateway between said networks. 

24. The network security apparatus according to Claim 
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23, whereby said first and second networks may be 
individually secure or non-secure without compro- 
s mising security of communications within said glo- 
bal security perimeter 

25. The network security apparatus according to Claim 
1 , wherein said SNIU is implemented as a software 
module interposed between a user layer and a 
transport layer of interconnection. 

26. The network security apparatus according to Claim 
1 , wherein said SNIU is implemented as a hardware 
device having a first port coupled to said user and 
a second port coupled to said network. 

27. The network security apparatus according to Claim 
1, wherein the computer network may be individu- 
ally secure or non-secure without compromising se- 
curity of communications within said global security 
perimeter. 

28. A method of providing network security for a com- 
puter network that operates using a layered com- 
munications protocol and has at least one user cou- 
pled thereto, the at least one user selected from a 
group consisting of a host computer and at least a 
second network, said method comprising: 

interposing a secure network interface unit 
(SNIU) between at least one user and the com- 
puter network, and establishing between the at 
least one user and the computer network an in- 
terconnection at a layer above the transport lay- 
er of the communications protocol; 
causing said SNIU to be operated and config- 
ured in support of the security association; and 
participating in the implementation of an access 
control protocol that operates at a layer above 
the transport layer by verifying if an identified 
user is authorized for access to at least a re- 
source coupled to the computer network; 
whereby the SNIU is implemented to create a 
global security perimeter for end-to-end com- 
munications. 

29. The method of providing network security according 
to Claim 28, further comprising: 

providing at the SNIU multilevel security where- 
by a particular user is granted access to at least 
one network resource in accordance with a us- 
er profile. 

30. The method of providing network security according 
to Claim 29, whereby the user profile indicates 
whether the user has access to said resource based 
on a user security classification. 



31 . The method of providing network security according 
to Claim 30, whereby the user security classification 
is one of Secret and Top Secret 

5 32. The method of providing network security according 
to Claim 28, wherein said plurality of security poli- 
cies is selected from the group consisting of discre- 
tionary access control, mandatory access control, 
object reuse, labeling, denial of service detection, 
io data type integrity, cascading control and covert 
channel use detection. 

33. The method of providing network security according 
to Claim 28, wherein said plurality of security poli- 

15 cies comprises user identification and authentica- 
tion. 

34. The method of providing network security according 
to Claim 28, further comprising: 

20 

implementing at least a portion of at least one 
of an authentication protocol and a data sealing 
protocol. 

25 35. The method of providing network security according 
to Claim 28, further comprising: 

applying a data sealing process using a data 
sealer key to data prior to transmission to sup- 
30 port said global security perimeter for end-to- 

end communications. 

36. The method of providing network security according 
to Claim 28, further comprising: 

35 

accepting a request to initiate a security asso- 
ciation from a remote SNIU; and 
establishing a set of sealer keys to be used for 
encrypting transmitted data with said security 
*o association. 

37. The method of providing network security according 
to Claim 28, further comprising: 

45 implementing at least a portion of a defined 

trusted session layer protocol (TSP). 

38. The method of providing network security according 
to Claim 28, further comprising: 

50 

managing a set of parameters related to user 
identification for access control, user identifica- 
tion for authentication, and data sealing. 

55 39. The method of providing network security according 
to Claim 28, further comprising: 

sending a public key in response to a remote 
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network request. 

40? The method of providing network security according 
to Claim 28, further comprising: 

implementing at least a portion of a key man- 
agement protocol to establish a set of sealer 
keys to be used in a security association. 

41 . The method of providing network security according 
to Claim 28, further comprising: 

performing a translation to map at least a pa- 
rameter from the semantics of the network to 
the semantics of the second network; and 
acting as a gateway between said networks. 

42. The method of providing network security according 
to Claim 28, whereby said first and second networks 
may be individually secure or non-secure without 
compromising security of communications within 
said global security perimeter. 

43. The method of providing network security according 
to Claim 28, wherein the computer network may be 
individually secure or non-secure without compro- 
mising security of communications within said glo- 
bal security perimeter. 

44. The method of providing network security according 
to Claim 28, wherein said step of participating fur- 
ther comprises the step of establishing a defined 
trusted session layer protocol (TSP) through said 
SNIU, said TSP constituting said interconnection. 

45. The method of providing network security according 
to Claim 28, further comprising the step of control- 
ling a data path established in said SNIU. 



cording to a layered communications protocol, 
the communications network supporting the 
transport of information between at least a sub- 
set of the user devices using the communica- 
5 tions protocol at least at the transport layer and 

below; 

a plurality secure network interface units (SN- 
lUs), each SNIU being interposed between at 
least one user device and the communications 
10 network to establish an interconnection there- 

between at a layer above the transport layer of 
the communications protocol; and 
a security management architecture, including 
a security manager (SM) coupled to said SNIU 
15 for causing said SNIU to be initialized, operated 

and configured for protecting the security of 
communications transmitted through said 
SNIU, said SM capable of implementing at least 
one of a plurality of security policies. 

49. The communications network system according to 
Claim 48, wherein at least one of said plurality of 
SNIUs is operative to act as a gateway between net- 
works. 

50. The communications network system according to 
Claim 48, wherein at least one of said plurality of 
SNIUs comprises an SNIU security manager for 
causing said SNIU to be initialized, operated, and 
configured for protecting the security communica- 
tions transmitted through said SNIU. 

51. The communications network system according to 
Claim 48, wherein said SM comprises: 

a SNIU security manager (SSM); 
an area security manager (ASM); and 
a network security manager (NSM). 



25 



30 



46. The method of providing network security according 
to Claim 28, further comprising the step of identify- 
ing a user requesting access to the computer net- 
work. 

47. The method of providing network security according 
to Claim 21, further comprising the step of control- 
ling a user session between the at least one user 
and the computer network if the at least one user is 
verified for access, whereby said user session is lo- 
cated at a layer above the transport layer. 

48. A communications network system comprising: 

a plurality of user devices, each user device be- 
ing selected from a group consisting of a host 
computerized device and at least a second net- 
work; 

a communications network that operates ac- 



40 52. The communications network system according to 
Claim 48, wherein said SM comprises at least two 
of: 

a SNIU security manager (SSM); 
45 an area security manager (ASM); and 

a network security manager (NSM). 

53. The communications network system according to 
Claim 48, wherein said SM comprises: 

50 

a first module coupled to at least one SNIU for 
initializing said SNIU and managing at least one 
security parameter used by said SNIU; and 
a second module remote from said SNIU, said 
55 second module operative to manage a set of 

security functions for a group of SNIUs in a de- 
fined area. 
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54. The communications network system according to 
Claim 48, wherein said SM further causes an inter- 

v connection to be established according to a defined 
trusted session layer protocol (TSP) through said 
SNIU. 5 

55. The communications network system according to 
Claim 48, wherein said host computerized device is 
a host computer. 

56. The communications network system according to 
Claim 48, wherein the system provides multilevel 
security whereby a particular user is granted access 
to at least one network resource in accordance with 
a user profile. 

57. The communications network system according to 
Claim 56, whereby the user profile indicates wheth- 
er the user has access to said resource based on a 
user security classification. 

58. The communications network system according to 
Claim 57, whereby the user security classification 
is one of Secret and Top Secret. 

59. The communications network system according to 
Claim 48, wherein said plurality of security policies 
is selected from the group consisting of discretion- 
ary access control, mandatory access control, ob- 
ject reuse, labeling, denial of service detection, data 
type integrity, cascading control and covert channel 
use detection. 

60. The communications network system according to 
Claim 48, wherein said plurality of security policies 
comprises user identification and authentication. 

61. The communications network system according to 
Claim 48, whereby the interconnection is estab- 
lished at the session layer of interconnection. 

62. The communications network system according to 
Claim 61, wherein said session layer comprises at 
least a portion of a defined trusted session layer 
protocol (TSP). 

63. The communications network system according to 
Claim 61, wherein said SNIUs each include a data 
sealer for validating data transmitted through each 
said SNIU. 

64. The communications network system according to 
Claim 48, wherein functions of said SM comprise 
exchanging data and commands with said SNIUs, 
and managing parameters related to access con- 
trol, authentication, and data sealer keys. 

65. The communications network system according to 



Claim 48, wherein functions of said SM comprise 
configuring a data sealer key to be used to secure 
communications among at least two SNIUs. 

66. The communications network system according to 
Claim 48, wherein at least a component of the SM 
participates in a key management protocol to estab- 
lish a set of sealer keys to be used in a security as- 
sociation. 

67. The communications network system according to 
Claim 48, whereby said communications network 
and second network may be individually secure or 
non-secure without compromising security of com- 
munications within said global security perimeter. 

68. The communications network system according to 
Claim 48, wherein said communications network 
may be individually secure or non-secure without 
compromising security of communications within 
said global security perimeter. 
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